An Introduction to Supersingular Elliptic Curves and Supersingular Primes

Anh Huynh

Abstract

In this article, we introduce supersingular elliptic curves over a finite field and relevant concepts, such as formal group of an elliptic curve, Frobenius maps, etc. The definition of a supersin- gular curve is given as any one of the five equivalences by Deuring. The exposition follows Silverman’s “Arithmetic of Elliptic Curves.” Then we define supersingular primes of an elliptic curve and explain Elkies’s result that there are infinitely many supersingular primes for every elliptic curve over Q. We further define supersingular primes as by Ogg and discuss the Mon- strous Moonshine conjecture.

1 Supersingular Curves.

1.1 Endomorphism ring of an elliptic curve.

We have often seen elliptic curves over C, where it has many connections with modular forms and modular curves. It is also possible and useful to consider the elliptic curves over other fields, for instance, finite fields. One of the difference we find, then, is that the number of symmetries of the curves are drastically improved. To make that precise, let us first consider the following natural relation between elliptic curves.

Definition 1. Let E1 , E2 be elliptic curves. An isogeny from E1 to E2 is a morphism

φ: E E 1 → 2 such that φ( O) = O.

Then we can look at the set of isogenies from an elliptic curve to itself, and this is what is meant by the symmetries of the curves.

Definition 2. Let E be an elliptic curve. Let End( E) = Hom( E, E) be the ring of isogenies with pointwise addition

( φ + ψ)( P) = φ( P) + ψ( P) and multiplication given by composition

1 ( φψ)( P) = φ( ψ( P)) .

Then End( E) is called the endomorphism ring of E.

1.2 Classification of the endomorphism rings.

The first question we can ask is what kind of ring can this endomorphism ring be. The following objects are needed in the formulation of the answer.

Definition 3. (Order of an algebra) Let be an algebra finitely generated over Q. An K order of is a subring of which is finitely generated as Z-module and which satisfies R K K Q = . R ⊗ K

Example 4. Let be the quadratic imaginary field Q √ D for some positive D, its K −
O ring of integers. Then for each integer f > 0, the ring Z + f is an order of . O K

Definition 5. A (definite) quaternion algebra over Q is an algebra of the form

= Q + Qα + Q β + Qαβ K with the multiplication rules α2 ,β2 Q, α2 < 0,β2 < 0, βα = αβ. ∈ −

Then we have the following theorem.

Theorem 6. (Classification of endomorphism ring) The endomorphism ring of an elliptic curve is either Z (rank 1), an order in a quadratic imaginary field Q √ D (rank 2), or
an order in a quaternion algebra (rank 4). −

(See Silvermans’s “Arithmetic of the Elliptic Curves” , Chapter III, Section 9 for a proof.)

If char( K) = 0, then End( E) Q cannot be a quaternion algebra (see remark to Theorem 12). For example, in class all⊗ we have seen so far are elliptic curves over C, so they only have endomorphism ring as Z or an order in a quadratic imaginary field.

Example 7. The curve C/Z[ i] has endomorphism ring Z[ i] . The curve C/Z[ √ 2 ] has − endomorphism ring Z.

If K is a finite field, however, then End( E) is always larger than Z. In fact, the particular class of elliptic curves that have endomorphism ring as an order in a quarternion algebra (the maximum possible) are called supersingular elliptic curves, the main object of this exposition.

2 1.3 Definition of a supersingular curve.

As alluded to before, a supersingular elliptic curve is one that has the maximum number of symmetries: End( E) is an order in the quaternion algebra. In his 1941 paper, Deuring proved the equivalence of this and four other conditions, therefore each of which can then be considered as a definition for a supersingular curve. The main goal of this section is to state the theorem. We will need the following objects.

Definition 8. Let R be a ring. A (one-parameter commutative) formal group defined over R is a power series F( X,Y) R[[ X,Y]] satisfying: F ∈ a ) F( X,Y) = X + Y + (terms of degree 2 ). b ) F( X,F( Y,Z)) = F( F( X,Y) ,Z) . ≥ c ) F( X,Y) = F( Y,X) d ) There is a unique power series i( T) R[[ T]] such that F( T , i( T)) = 0. e ) F( X , 0) = X,F(0,Y) = Y. ∈

In particular, for an elliptic curve E given by a Weierstrass equation with coefficients in R,

2 3 2 E: y + a1 xy + a3 y = x + a2 x + a4x + a6, the formal group associated to E, denoted by Eˆ , is given by the power series

2 2 3 2 2 3 F( z , z ) = z + z a z z a ( z z + z z ) (2a z z ( a a 3a ) z z + 2a z z ) + 1 2 1 2 − 1 1 2 − 2 1 2 1 2 − 3 1 2 − 1 2 − 3 1 2 3 1 2 ∈ Z[ a1 , , a6 ][[ z1 , z2 ]] .

Definition 9. Let R be a ring of characteristic p > 0. Let , /R be formal groups and f: F G a homomorphism defined over R. The height of f, denoted by ht( f) , is the largest F → G h integer h such that f( T) = g Tp for some power series g( T) R[[ T]] . If f = 0 then
∈ ht( f) = . The height of , denoted ht( ) , is the height of the multiplication map [ p]: . ∞ F F F→F

Example 10. If m 1 is prime to p, then ht([ m]) = 0, because [ m] T = mT + . ≥

Definition 11. (Frobenius map) Let K be a field of positive charateristic p, and let q = pr. Let f ( q) be the polynomial obtained from f by raising each coefficient of f to the q-th power. Then for each curve C/K we can define a new curve C( q) /K by describing its homogeneous ideal as

I C( q) = ideal generated by f ( q) : f I( C) .
 ∈

The q-th power Frobenius morphism is the natural map from C to C( q) given by

φ: C C( q) →

q q

φ([ x0, , xn]) = [ x0 , , xn] .

3 Definition 12. Let φ: C1 C2 be a map of curves defined over K. If φ is constant, we define the degree of φ to be →0; otherwise we say that φ is finite and define its degree by

deg φ = [ K( C1 ): φ∗ K( C2 )] .

We say that φ is separable, inseparable, purely inseparable if the extension K( C1 )/ φ∗ K( C2 ) has the corresponding property.

In particular, the Frobenius map is inseparable. Now we can state Deuring’s theorem.

Theorem 13. (Deuring) Let K be a perfect field of characteristic p and E/K an elliptic curve. For each integer r 1 , let ≥

( pr ) ( pr ) φr: E E and φˆr : E E → → be the pr-th power Frobenius map and its dual. a ) The following are equivalent. i. E[ pr] = 0 for one (all) r 1 . ≥ ii. φˆr is (purely) inseparable for one (all) r 1 . ≥ iii. The map [ p]: E E is purely inseparable and j( E) F p2 . iv. End( E) is an order→ in a quaternion algebra. ∈ v. The formal group Eˆ /K associated to E has height 2. b ) If the equivalent conditions in (a) do not hold, then E[ pr] = Z/ prZ for all r 1 , ≥ and the formal group Eˆ /K has height 1 . Further, if j( E) F¯ p, then End( E) is an order in a quadratic imaginary field. ∈ (See Silverman’s “Arithmetic of Elliptic Curves” Chapter V, Section 3 for a proof.) Remark 14. 1. There are further definitions, for instance in terms of sheaf cohomology and residues of differentials. 2. Note that a supersingular curve is not singular. By definition it is an elliptic curve, hence smooth. 3. Item ( ii) explains what we claimed above that End( E) cannot be an order in a quaternion algebra if the curve over a C: for a field to possess a non-trivial purely inseparable extension, it cannot be perfect.

An example of a supersingular elliptic curve is the curve X1 ( 11 ) , reduced modulo the prime 19. (See Section 2.1).

2 Supersingular Primes.

Closely related to the concept of a supersingular elliptic curve is that of a supersingular prime. There are two different definitions, each refer to a different thing.

4 2.1 Supersingular Primes for an elliptic curve over Q.

Definition 15. (Supersingular primes for an elliptic curve) If E is an elliptic curve defined over the rational numbers, then a prime p is supersingular for E if the reduction of E modulo p is a supersingular elliptic curve over the residue field F p.

In his 1987 paper, Elkies shows that there are infinitely many such primes for each elliptic curve over Q. The idea is as follow. The reduction Ep of an elliptic curve E at a good prime p is supersingular if and only if it has complex multiplication by some order OD = Z 1 D + √ D ( D 0 or 3 mod 4) , such that p is ramified or inert in Q √ D .  2 −
 ≡ −

Note that for each D, however, there are only finitely many isomorphism classes of elliptic curves over Q¯ with complex multiplication by OD . Furthermore, the j-invariants of these curves are conjugate algebraic integers. Thus, we can define PD ( X) to be the monic integer polynomial with these j-invariants as roots. Then it makes sense to consider PD ( X) in characteristic p. One of the important results in Deuring’s 1941 paper is the following.

Lemma 16. (Deuring’s Lifting Lemma) Let A0 be an elliptic curve in characteristic p, with an endomorphism α0 which is not trivial. Then there exists an elliptic curve A defined over a number field, an endomorphism α of A, and a non-degenerate reduction of A at a place P lying above p such that A0 is isomorphic to A¯, and α0 corresponds to α¯ under the isomorphism.

For a proof, see Chapter 13, Section 5 of Lang’s “Elliptic Function.” By the above lemma, roots of PD ( X) in characteristic p are j-invariants of elliptic curves with endomorphism 1 D + √ D . This means, suppose J is the value of the j-invariant of E, then if J is a root 2 −
of PD ( X) modulo p, Ep will have complex multiplication in OD ′ where D ′ is a factor of D such that D/D ′ is a perfect square. The criterion is useful because prime factors of PD ( J) are related to D (and J) in a quite definite way, so once we have chosen a nice enough p, the choice of D that satisfies the above condition is in fact very clear. Infinitude is in fact a consequence of the powerful Dirichlet’s theorem that there are infinitely many primes in the progression ax + b where a, b are coprime.

Example 17. Take the curve X ( 11 ) , whose j-invariant is 2 12/11, and let D = 163. Then 1 −

1 + √ 163 12 2 P163( J) = J j − = 2 19 1953065174759/11. −  2 

The primes 19 and 1953065174759 are quadratic non-residues of 163, hence primes of super- singular reduction of E.

Theorem 18. (Elkies) Let S be a finite set of primes. Then E has a supersingular prime outside S.

PROOF. We can assume without loss of generality that S contains all of E’s primes of bad reduction. By Dirichlet’s Theorem, there is a prime l (and always one that is big enough), such that ( 1/l) = 1 , ( p/l) = +1 for every p S. In fact, use the progression − − ∈ p S p x + 1 , or 2 p S p x + 1 if 2  S. Q ∈
Q ∈

5 The only real roots of P and P are j 1 √ l and j √ l , respectively; all others l 4l 2 1 + −

−2 πiz
are in complex conjugate pairs. From the q-expansion j( z) = e− + O(1) as Im( z) , it follows that these real roots go to and as l . Therefore for a fixed J, we→ can ∞ −∞ ∞ → ∞ choose a big enough l such that Pl ( J) > 0 and P4l ( J) < 0.

N Then, suppose Pl( J) P l ( J) = | | . Here D is a perfect square, being the ( deg PlP l) -th 4 − D 4 power of J’s denominator. We claim that N contains a either l itself or a prime that is a quadratic non-residue of l. Either way, we have a supersingular prime of E outside of S.

Suppose otherwise, then N is the product of primes all of which are quadratic residues of l, N and thus N itself is a quadratic residue of l. Thus Pl( J) P l ( J) = | | is a quadratic non- 4 − D residue of l. We reach a contradiction by the following technical fact/lemma.

2 2 Lemma 19. Modulo l, Pl ( X) and P4l ( X) factor into ( X 1728) R ( X) , ( X 1728) S ( X) for some polynomials R( X) , S( X) . − − 

As a direct corollary, there are infinitely many supersingular primes for every elliptic curve over Q. Then it is natural to ask how these primes are distributed (for a specific curve E). In 1976, Lang and Trotter gave a conjecture on the number of supersingular primes less than a bound x. Remember that we need the prime p to be ramified or inert in the field of complex multiplication, and this happens roughly half of the times by Dirichlet’s 1/2 theorem. So the trace of Ep to be distributed roughly evenly in the permitted range 2 p , 1/2 1/2 − 1/2 2 p , and therefore vanish with probability Cp− . Thus there are about C p−
P p

2.2 Supersingular primes and the Monstrous Moonshine conjectures.

For completeness, we include the second definition.

Definition 20. (Supersingular primes) The following are equivalent (by Ogg) and can be taken as a definition:

+ a ) The modular curve X0 ( p) = X0( p)/wp, where wp is the Fricke involution of X0( p) , has genus zero. b ) Every supersingular elliptic curve in characteristic p can be defined over the prime subfield F p. c ) The order of the Monster group M is divisible by p.

In fact they are 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 41, 47, 59, and 71.

These supersingular primes are not referred to with any elliptic curves. The equivalences, although proved by Ogg (by direct computation), were not well understood until Borcherd’s 1992 paper “Monstrous Moonshine and Monstrous Lie Superalgebras.” Ogg’s paper was the starting point of the Monstrous Moonshine conjecture about the strange relations between the Monster group M and modular functions. The conjecture states that there is a unique infinite-dimensional graded M-module whose graded dimensions are the Fourier coefficients of the q-expansion of the j-function:

6 V = m 1 Vm L ≥− such that dim Vm = cm, where

m j( τ) = m 1 cmq . P ≥−

References

R. Borcherds, Monstrous Moonshine and Monstrous Lie Superalgebras, Invent. Math. 109 (1992), 405-444.

M. Deuring, Die Typen der Multiplikatorenringe elliptischer Funktionenkorper, Math. Zeut, 47 (1941), 47-56.

N. Elkies, The existence of infinitely many supersingular primes for every elliptic curve over Q, Invent. Math. 89 (1987), 561-568.

T. Gannon, Monstrous Moonshine: The first twenty-five years, 2004, http://arxiv.org/PS_cache/math/pdf/0402/0402345v2.pdf

S. Lang, Elliptic Functions. New York: Springer-Verlag (1986). Print.

S. Lang; H. Trotter, Frobenius distributions in GL2 -extensions. Lect. Notes in Math., vol. 504. Berlin-Heidelberg-New York: Springer 1976. Print.

A.P. Ogg, Automorphismes des Courbes Modulaires, Seminair Delange-Pisot, Poitou. The- orie des nombres, 7 (1974), 1-8

J. Silverman, Arithmetic of Elliptic Curves. New York: Springer-Verlag (1986). Print.

7